2 * Unix SMB/CIFS implementation.
4 * NTLMSSP Signing routines
5 * Copyright (C) Andrew Bartlett 2003-2005
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 #include "../libcli/auth/libcli_auth.h"
25 #define CLI_SIGN "session key to client-to-server signing key magic constant"
26 #define CLI_SEAL "session key to client-to-server sealing key magic constant"
27 #define SRV_SIGN "session key to server-to-client signing key magic constant"
28 #define SRV_SEAL "session key to server-to-client sealing key magic constant"
31 * Some notes on then NTLM2 code:
33 * NTLM2 is a AEAD system. This means that the data encrypted is not
34 * all the data that is signed. In DCE-RPC case, the headers of the
35 * DCE-RPC packets are also signed. This prevents some of the
36 * fun-and-games one might have by changing them.
40 static void dump_arc4_state(const char *description
,
41 struct arcfour_state
*state
)
43 dump_data_pw(description
, state
->sbox
, sizeof(state
->sbox
));
46 static void calc_ntlmv2_key(unsigned char subkey
[16],
47 DATA_BLOB session_key
,
50 struct MD5Context ctx3
;
52 MD5Update(&ctx3
, session_key
.data
, session_key
.length
);
53 MD5Update(&ctx3
, (const unsigned char *)constant
, strlen(constant
)+1);
54 MD5Final(subkey
, &ctx3
);
57 enum ntlmssp_direction
{
62 static NTSTATUS
ntlmssp_make_packet_signature(struct ntlmssp_state
*ntlmssp_state
,
63 const uchar
*data
, size_t length
,
64 const uchar
*whole_pdu
, size_t pdu_length
,
65 enum ntlmssp_direction direction
,
69 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
74 *sig
= data_blob(NULL
, NTLMSSP_SIG_SIZE
);
76 return NT_STATUS_NO_MEMORY
;
81 DEBUG(100,("ntlmssp_make_packet_signature: SEND seq = %u, len = %u, pdu_len = %u\n",
82 ntlmssp_state
->ntlm2_send_seq_num
,
84 (unsigned int)pdu_length
));
86 SIVAL(seq_num
, 0, ntlmssp_state
->ntlm2_send_seq_num
);
87 ntlmssp_state
->ntlm2_send_seq_num
++;
88 hmac_md5_init_limK_to_64(ntlmssp_state
->send_sign_key
, 16, &ctx
);
92 DEBUG(100,("ntlmssp_make_packet_signature: RECV seq = %u, len = %u, pdu_len = %u\n",
93 ntlmssp_state
->ntlm2_recv_seq_num
,
95 (unsigned int)pdu_length
));
97 SIVAL(seq_num
, 0, ntlmssp_state
->ntlm2_recv_seq_num
);
98 ntlmssp_state
->ntlm2_recv_seq_num
++;
99 hmac_md5_init_limK_to_64(ntlmssp_state
->recv_sign_key
, 16, &ctx
);
103 dump_data_pw("pdu data ", whole_pdu
, pdu_length
);
105 hmac_md5_update(seq_num
, 4, &ctx
);
106 hmac_md5_update(whole_pdu
, pdu_length
, &ctx
);
107 hmac_md5_final(digest
, &ctx
);
109 if (encrypt_sig
&& (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_KEY_EXCH
)) {
112 arcfour_crypt_sbox(&ntlmssp_state
->send_seal_arc4_state
, digest
, 8);
114 case NTLMSSP_RECEIVE
:
115 arcfour_crypt_sbox(&ntlmssp_state
->recv_seal_arc4_state
, digest
, 8);
120 SIVAL(sig
->data
, 0, NTLMSSP_SIGN_VERSION
);
121 memcpy(sig
->data
+ 4, digest
, 8);
122 memcpy(sig
->data
+ 12, seq_num
, 4);
124 dump_data_pw("ntlmssp v2 sig ", sig
->data
, sig
->length
);
128 crc
= crc32_calc_buffer(data
, length
);
129 if (!msrpc_gen(ntlmssp_state
, sig
, "dddd", NTLMSSP_SIGN_VERSION
, 0, crc
, ntlmssp_state
->ntlmv1_seq_num
)) {
130 return NT_STATUS_NO_MEMORY
;
133 ntlmssp_state
->ntlmv1_seq_num
++;
135 dump_arc4_state("ntlmssp hash: \n", &ntlmssp_state
->ntlmv1_arc4_state
);
136 arcfour_crypt_sbox(&ntlmssp_state
->ntlmv1_arc4_state
, sig
->data
+4, sig
->length
-4);
141 NTSTATUS
ntlmssp_sign_packet(struct ntlmssp_state
*ntlmssp_state
,
142 const uchar
*data
, size_t length
,
143 const uchar
*whole_pdu
, size_t pdu_length
,
148 if (!(ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SIGN
)) {
149 DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n"));
150 return NT_STATUS_INVALID_PARAMETER
;
153 if (!ntlmssp_state
->session_key
.length
) {
154 DEBUG(3, ("NO session key, cannot check sign packet\n"));
155 return NT_STATUS_NO_USER_SESSION_KEY
;
158 nt_status
= ntlmssp_make_packet_signature(ntlmssp_state
,
160 whole_pdu
, pdu_length
,
161 NTLMSSP_SEND
, sig
, True
);
167 * Check the signature of an incoming packet
168 * @note caller *must* check that the signature is the size it expects
172 NTSTATUS
ntlmssp_check_packet(struct ntlmssp_state
*ntlmssp_state
,
173 const uchar
*data
, size_t length
,
174 const uchar
*whole_pdu
, size_t pdu_length
,
175 const DATA_BLOB
*sig
)
180 if (!ntlmssp_state
->session_key
.length
) {
181 DEBUG(3, ("NO session key, cannot check packet signature\n"));
182 return NT_STATUS_NO_USER_SESSION_KEY
;
185 if (sig
->length
< 8) {
186 DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
187 (unsigned long)sig
->length
));
190 nt_status
= ntlmssp_make_packet_signature(ntlmssp_state
,
192 whole_pdu
, pdu_length
,
193 NTLMSSP_RECEIVE
, &local_sig
, True
);
195 if (!NT_STATUS_IS_OK(nt_status
)) {
196 DEBUG(0, ("NTLMSSP packet check failed with %s\n", nt_errstr(nt_status
)));
197 data_blob_free(&local_sig
);
201 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
202 if (local_sig
.length
!= sig
->length
||
203 memcmp(local_sig
.data
, sig
->data
, sig
->length
) != 0) {
204 DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n"));
205 dump_data(5, local_sig
.data
, local_sig
.length
);
207 DEBUG(5, ("BAD SIG: got signature of\n"));
208 dump_data(5, sig
->data
, sig
->length
);
210 DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n"));
211 data_blob_free(&local_sig
);
212 return NT_STATUS_ACCESS_DENIED
;
215 if (local_sig
.length
!= sig
->length
||
216 memcmp(local_sig
.data
+ 8, sig
->data
+ 8, sig
->length
- 8) != 0) {
217 DEBUG(5, ("BAD SIG NTLM1: wanted signature of\n"));
218 dump_data(5, local_sig
.data
, local_sig
.length
);
220 DEBUG(5, ("BAD SIG: got signature of\n"));
221 dump_data(5, sig
->data
, sig
->length
);
223 DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature!\n"));
224 data_blob_free(&local_sig
);
225 return NT_STATUS_ACCESS_DENIED
;
228 dump_data_pw("checked ntlmssp signature\n", sig
->data
, sig
->length
);
229 DEBUG(10,("ntlmssp_check_packet: NTLMSSP signature OK !\n"));
231 data_blob_free(&local_sig
);
236 * Seal data with the NTLMSSP algorithm
240 NTSTATUS
ntlmssp_seal_packet(struct ntlmssp_state
*ntlmssp_state
,
241 uchar
*data
, size_t length
,
242 uchar
*whole_pdu
, size_t pdu_length
,
245 if (!(ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SEAL
)) {
246 DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
247 return NT_STATUS_INVALID_PARAMETER
;
250 if (!ntlmssp_state
->session_key
.length
) {
251 DEBUG(3, ("NO session key, cannot seal packet\n"));
252 return NT_STATUS_NO_USER_SESSION_KEY
;
255 DEBUG(10,("ntlmssp_seal_data: seal\n"));
256 dump_data_pw("ntlmssp clear data\n", data
, length
);
257 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
258 /* The order of these two operations matters - we must first seal the packet,
259 then seal the sequence number - this is because the send_seal_hash is not
260 constant, but is is rather updated with each iteration */
261 NTSTATUS nt_status
= ntlmssp_make_packet_signature(ntlmssp_state
,
263 whole_pdu
, pdu_length
,
264 NTLMSSP_SEND
, sig
, False
);
265 if (!NT_STATUS_IS_OK(nt_status
)) {
269 arcfour_crypt_sbox(&ntlmssp_state
->send_seal_arc4_state
, data
, length
);
270 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_KEY_EXCH
) {
271 arcfour_crypt_sbox(&ntlmssp_state
->send_seal_arc4_state
, sig
->data
+4, 8);
275 crc
= crc32_calc_buffer(data
, length
);
276 if (!msrpc_gen(ntlmssp_state
, sig
, "dddd", NTLMSSP_SIGN_VERSION
, 0, crc
, ntlmssp_state
->ntlmv1_seq_num
)) {
277 return NT_STATUS_NO_MEMORY
;
280 /* The order of these two operations matters - we must first seal the packet,
281 then seal the sequence number - this is because the ntlmv1_arc4_state is not
282 constant, but is is rather updated with each iteration */
284 dump_arc4_state("ntlmv1 arc4 state:\n",
285 &ntlmssp_state
->ntlmv1_arc4_state
);
286 arcfour_crypt_sbox(&ntlmssp_state
->ntlmv1_arc4_state
, data
, length
);
288 dump_arc4_state("ntlmv1 arc4 state:\n",
289 &ntlmssp_state
->ntlmv1_arc4_state
);
291 arcfour_crypt_sbox(&ntlmssp_state
->ntlmv1_arc4_state
, sig
->data
+4, sig
->length
-4);
293 ntlmssp_state
->ntlmv1_seq_num
++;
295 dump_data_pw("ntlmssp signature\n", sig
->data
, sig
->length
);
296 dump_data_pw("ntlmssp sealed data\n", data
, length
);
302 * Unseal data with the NTLMSSP algorithm
306 NTSTATUS
ntlmssp_unseal_packet(struct ntlmssp_state
*ntlmssp_state
,
307 uchar
*data
, size_t length
,
308 uchar
*whole_pdu
, size_t pdu_length
,
311 if (!ntlmssp_state
->session_key
.length
) {
312 DEBUG(3, ("NO session key, cannot unseal packet\n"));
313 return NT_STATUS_NO_USER_SESSION_KEY
;
316 DEBUG(10,("ntlmssp_unseal_packet: seal\n"));
317 dump_data_pw("ntlmssp sealed data\n", data
, length
);
319 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
320 /* First unseal the data. */
321 arcfour_crypt_sbox(&ntlmssp_state
->recv_seal_arc4_state
, data
, length
);
322 dump_data_pw("ntlmv2 clear data\n", data
, length
);
324 arcfour_crypt_sbox(&ntlmssp_state
->ntlmv1_arc4_state
, data
, length
);
325 dump_data_pw("ntlmv1 clear data\n", data
, length
);
327 return ntlmssp_check_packet(ntlmssp_state
, data
, length
, whole_pdu
, pdu_length
, sig
);
331 Initialise the state for NTLMSSP signing.
333 NTSTATUS
ntlmssp_sign_init(struct ntlmssp_state
*ntlmssp_state
)
337 mem_ctx
= talloc_init("weak_keys");
339 return NT_STATUS_NO_MEMORY
;
342 DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
343 debug_ntlmssp_flags(ntlmssp_state
->neg_flags
);
345 if (ntlmssp_state
->session_key
.length
< 8) {
346 TALLOC_FREE(mem_ctx
);
347 DEBUG(3, ("NO session key, cannot intialise signing\n"));
348 return NT_STATUS_NO_USER_SESSION_KEY
;
351 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
352 DATA_BLOB weak_session_key
= ntlmssp_state
->session_key
;
353 const char *send_sign_const
;
354 const char *send_seal_const
;
355 const char *recv_sign_const
;
356 const char *recv_seal_const
;
357 DATA_BLOB send_seal_key_blob
, recv_seal_blob
;
359 switch (ntlmssp_state
->role
) {
361 send_sign_const
= CLI_SIGN
;
362 send_seal_const
= CLI_SEAL
;
363 recv_sign_const
= SRV_SIGN
;
364 recv_seal_const
= SRV_SEAL
;
367 send_sign_const
= SRV_SIGN
;
368 send_seal_const
= SRV_SEAL
;
369 recv_sign_const
= CLI_SIGN
;
370 recv_seal_const
= CLI_SEAL
;
373 TALLOC_FREE(mem_ctx
);
374 return NT_STATUS_INTERNAL_ERROR
;
378 Weaken NTLMSSP keys to cope with down-level clients, servers and export restrictions.
379 We probably should have some parameters to control this, once we get NTLM2 working.
382 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_128
) {
384 } else if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_56
) {
385 weak_session_key
.length
= 7;
386 } else { /* forty bits */
387 weak_session_key
.length
= 5;
390 dump_data_pw("NTLMSSP weakend master key:\n",
391 weak_session_key
.data
,
392 weak_session_key
.length
);
395 calc_ntlmv2_key(ntlmssp_state
->send_sign_key
,
396 ntlmssp_state
->session_key
, send_sign_const
);
397 dump_data_pw("NTLMSSP send sign key:\n",
398 ntlmssp_state
->send_sign_key
, 16);
400 /* SEND: seal ARCFOUR pad */
401 calc_ntlmv2_key(ntlmssp_state
->send_seal_key
,
402 weak_session_key
, send_seal_const
);
403 dump_data_pw("NTLMSSP send seal key:\n",
404 ntlmssp_state
->send_seal_key
, 16);
406 send_seal_key_blob
.data
= ntlmssp_state
->send_seal_key
;
407 send_seal_key_blob
.length
= 16;
408 arcfour_init(&ntlmssp_state
->send_seal_arc4_state
,
409 &send_seal_key_blob
);
411 dump_arc4_state("NTLMSSP send seal arc4 state:\n",
412 &ntlmssp_state
->send_seal_arc4_state
);
415 calc_ntlmv2_key(ntlmssp_state
->recv_sign_key
,
416 ntlmssp_state
->session_key
, recv_sign_const
);
417 dump_data_pw("NTLMSSP recv send sign key:\n",
418 ntlmssp_state
->recv_sign_key
, 16);
420 /* RECV: seal ARCFOUR pad */
421 calc_ntlmv2_key(ntlmssp_state
->recv_seal_key
,
422 weak_session_key
, recv_seal_const
);
424 dump_data_pw("NTLMSSP recv seal key:\n",
425 ntlmssp_state
->recv_seal_key
, 16);
427 recv_seal_blob
.data
= ntlmssp_state
->recv_seal_key
;
428 recv_seal_blob
.length
= 16;
429 arcfour_init(&ntlmssp_state
->recv_seal_arc4_state
,
432 dump_arc4_state("NTLMSSP recv seal arc4 state:\n",
433 &ntlmssp_state
->recv_seal_arc4_state
);
435 ntlmssp_state
->ntlm2_send_seq_num
= 0;
436 ntlmssp_state
->ntlm2_recv_seq_num
= 0;
441 /* Hmmm. Shouldn't we also weaken keys for ntlmv1 ? JRA. */
443 DATA_BLOB weak_session_key
= ntlmssp_state
->session_key
;
445 Weaken NTLMSSP keys to cope with down-level clients, servers and export restrictions.
446 We probably should have some parameters to control this, once we get NTLM2 working.
449 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_128
) {
451 } else if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_56
) {
452 weak_session_key
.length
= 6;
453 } else { /* forty bits */
454 weak_session_key
.length
= 5;
456 dump_data_pw("NTLMSSP weakend master key:\n",
457 weak_session_key
.data
,
458 weak_session_key
.length
);
461 DATA_BLOB weak_session_key
= ntlmssp_weaken_keys(ntlmssp_state
, mem_ctx
);
463 DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n"));
465 arcfour_init(&ntlmssp_state
->ntlmv1_arc4_state
,
468 dump_arc4_state("NTLMv1 arc4 state:\n",
469 &ntlmssp_state
->ntlmv1_arc4_state
);
471 ntlmssp_state
->ntlmv1_seq_num
= 0;
474 TALLOC_FREE(mem_ctx
);